REAL PARTY IN INTEREST

The real party in interest in the present Appeal is International Business Machines 
Corporation, the Assignee of the present application as evidenced by the assignment recorded at 
Frame 014971 of Reel 0014. 

RELATED APPEALS AND INTERFERENCES 

There are no other appeals or interferences known to Appellants, the Appellants' legal 
representative, or assignee, which directly affect or would be directly affected by or have a 
bearing on the Board's decision in the pending Appeal. 

STATUS OF CLAIMS 
Claims 1-30 were originally presented. Claims 1-30, which comprise all pending claims, 
stand finally rejected by the Examiner as noted in the Final Office Action dated October 17, 
2008. The rejection of Claims 1-30 is appealed. 

STATUS OF AMENDMENTS 
Appellants' Amendment A, dated July 11, 2008, was entered by the Examiner. No 
amendments to the claims have been proposed or entered subsequent to the final rejection that 
leads to this appeal. 

SUMMARY OF THE CLAIMED INVENTIONS 

Independent Claim 1 recites a method for operating a communication network (Page 5, 
lines 18-34; Page 6, lines 1-6; FIG. 1). According to the method, communication traffic is 
autonomously monitored at a communication port for an anomalous traffic (Page 7, % lines 9-15; 
Page 8, lines 25-30). An anomaly is detected in the communication traffic at a plurality of nodes
in the communication network, wherein the anomaly is an attack other than a worm or virus 
(Page 8, lines 25-33; Page 9, lines 1-14; Figure 4, block 400). A first blocking measure A that 
stops the anomalous traffic is independently applied at respective ones of the plurality of nodes 
to the anomalous traffic (Page 9, lines 15-19; Figure 4, block 405). A second blocking measure 
B is independently determined, at the respective ones of the plurality of nodes such that 
application of a logical combination of the first blocking measure A and the second blocking
measure B to stop the anomalous traffic (Page 9, lines 19-25; Figure 4, block 410, Page 10, lines
21-24; Figure 5, block 505). 

In addition to the features of independent Claim 1, Claim 2 recites that the independently 
determining step of independent Claim 1 further includes applying a logical combination of A 
and a second blocking measure B given by (A & !B) (Page 2, lines 21-26; FIG. 5, block 510) to 
the anomalous traffic, wherein the logical combination (A & !B) is a less restrictive blocking 
measure than a logical combination (A & B) (Page 2, lines 21-26, FIG. 5, block 505) (Page 10,
lines 9-11; Page 10, lines 21-24; Figure 5, block 510). Enforcing the logical combination (A & 
!B), if the logical combination (A & !B) stops the anomalous traffic (Page 10, lines 21-24; Figure 
5, block 510). 

In addition to the features of Claims 1-2, Claim 3 recites independently determining a
third blocking measure C (Page 2, lines 27-31; Page 11, lines 1-19), at the respective ones of the 
plurality of nodes, such that application of a logical combination of (A & !B) and the third 
blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical 
combination (A & !B) stops the anomalous traffic (Page 11, lines 8-12). 

In addition to the features of Claims 1-2, Claim 4 recites that the independently 
determining step of independent Claim 1 further includes applying a logical combination (A &
B) to the anomalous traffic if the logical combination (A & !B) does not stop the anomalous
traffic (Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 21-24; Figure 5, blocks 505, 520,
and 535). Enforcing the logical combination (A & B), if the logical combination (A & B) stops 
the anomalous traffic (Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 21-24; Figure 5, 
blocks 505 and 535). 

In addition to the features of Claims 1-2 and 4, Claim 5 recites independently
determining a third blocking measure C, at the respective ones of the plurality of nodes, such that
application of a logical combination of (A & B) and the third blocking measure C to the 
anomalous traffic stops the anomalous traffic, if the logical combination (A & B) stops the 
anomalous traffic (Page 11, lines 8-19).

In addition to the features of Claims 1-2 and 4, Claim 6 recites determining a third
blocking measure C, at the respective ones of the plurality of nodes, such that application of a 
logical combination of A and the third blocking measure C to the anomalous traffic stops the 
anomalous traffic, if the logical combination (A & B) does not stop the anomalous traffic (Page 
11, lines 8-12). 
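
The refinement order recited in Claims 2 through 6 can be followed in a short sketch. This is an added example, not code from the brief or the specification; it assumes a blocking measure is a predicate that drops matching packets, and the packet fields, sample traffic, concrete measures A, B, C and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    syn: bool
    anomalous: bool  # ground-truth label, used only to score a measure


# Assumption: a blocking measure is a predicate; True means "drop the packet".
Measure = Callable[[Packet], bool]


def both(x: Measure, y: Measure) -> Measure:
    return lambda p: x(p) and y(p)


def negate(x: Measure) -> Measure:
    return lambda p: not x(p)


def stops(measure: Measure, traffic: List[Packet]) -> bool:
    """The anomaly is stopped when no anomalous packet gets through."""
    return all(measure(p) for p in traffic if p.anomalous)


def collateral(measure: Measure, traffic: List[Packet]) -> int:
    """Number of valid packets the measure would also drop."""
    return sum(1 for p in traffic if not p.anomalous and measure(p))


def refine(current: Measure, name: str, candidate: Measure,
           cand_name: str, traffic: List[Packet]) -> Tuple[Measure, str]:
    """One step in the order of Claims 2, 4 and 6: try (current & !candidate),
    then (current & candidate), otherwise keep the current measure."""
    relaxed = both(current, negate(candidate))
    if stops(relaxed, traffic):
        return relaxed, f"({name} & !{cand_name})"
    strict = both(current, candidate)
    if stops(strict, traffic):
        return strict, f"({name} & {cand_name})"
    return current, name


# Constructed sample: a SYN flood on port 80 from 203.0.113.0/24 mixed with
# valid traffic. Addresses come from the documentation ranges.
TRAFFIC = [
    Packet("203.0.113.5", 80, True, True),
    Packet("203.0.113.9", 80, True, True),
    Packet("203.0.113.77", 80, True, True),
    Packet("198.51.100.4", 80, True, False),
    Packet("198.51.100.4", 80, False, False),
    Packet("198.51.100.8", 80, False, False),
    Packet("198.51.100.8", 443, True, False),
    Packet("203.0.113.20", 443, False, False),
]


def A(p: Packet) -> bool:  # hypothetical first measure: drop everything to port 80
    return p.dport == 80


def B(p: Packet) -> bool:  # hypothetical second measure: packet has SYN set
    return p.syn


def C(p: Packet) -> bool:  # hypothetical third measure: source in the flooding net
    return p.src.startswith("203.0.113.")


def narrow_down(traffic: List[Packet]) -> List[Tuple[str, int]]:
    """Start from A, refine with B and then C; return (measure, collateral)
    after every step."""
    measure, name = A, "A"
    if not stops(measure, traffic):
        raise ValueError("first blocking measure A must stop the anomaly")
    history = [(name, collateral(measure, traffic))]
    for cand, cand_name in ((B, "B"), (C, "C")):
        measure, name = refine(measure, name, cand, cand_name, traffic)
        history.append((name, collateral(measure, traffic)))
    return history


if __name__ == "__main__":
    for step_name, blocked_valid in narrow_down(TRAFFIC):
        print(f"{step_name:16} valid packets blocked: {blocked_valid}")
```

Each accepted combination still stops every anomalous packet in the sample while dropping fewer valid ones, which is the effect the brief attributes to combining blocking measures.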

In addition to the features of independent Claim 1, Claim 7 recites that the detecting step 
of independent Claim 1 further includes comparing the communication traffic to at least one
anomaly factor (Page 9, lines 1-14). Detecting the anomaly in the communication traffic at the
plurality of nodes in the communication network if the at least one anomaly factor is present in
the communication traffic (Page 9 lines 15-25). 

In addition to the features of independent Claim 1, Claim 8 recites assigning a severity to 
the detected anomaly (Page 9, lines 26-29) and wherein the step of independently applying the 
first blocking measure A to the anomalous traffic further comprises independently applying the
first blocking measure A to the anomalous traffic at each of the plurality of nodes in the
communication network that stops or reduces the flow of the anomalous traffic based on the 
severity of the detected anomaly (Page 9, lines 30-34). 

In addition to the features of independent Claim 1, Claim 9 recites intentionally inserting
the anomaly in the communication traffic (Page 12, lines 21-28). Associating the first blocking 
measure A and the second blocking measure B with the anomaly (Page 12, lines 28-321). 

Independent Claim 10 recites a method for operating a communication network (Page 5, 
lines 18-34; Page 6, lines 1-6; FIG. 1). According to the method, an anomaly is detected in the
communication traffic at a plurality of nodes in the communication network (Page 8, lines 25-33;
Page 9, lines 1-14; Figure 4, block 400). A first blocking measure A is synchronously applied at
respective ones of the plurality of nodes that stops the anomalous traffic (Page 3, lines 16-30; 
Page 9, lines 15-19; Figure 4, block 405). A second blocking measure B is synchronously 
determined, at the respective ones of the plurality of nodes such that the application of a logical
combination of the first blocking measure A and the second blocking measure B stops the
anomalous traffic (Page 3, lines 16-30; Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 
21-24; Figure 5, block 505). 

Independent Claim 11 recites a system (page 4, lines 1-3 and lines 28-30) for operating a
communication network (Page 5, lines 18-34; Page 6, lines 1-6; FIG. 1) including a processor
(page 6, line 11; FIG. 2, processor 220) and a program means executing on the processor (page 
8, lines 6-13). The program means executing on the processor further includes: means for 
autonomously monitoring communication traffic at a communication port for an anomalous 
traffic (Page 7, % lines 9-15; Page 8, lines 25-30); means for detecting an anomaly in 
communication traffic at a plurality of nodes in the communication network, wherein the
anomaly is an attack other than a worm or virus (Page 8, lines 25-33; Page 9, lines 1-14; Figure
4, block 400); means for independently applying, at respective ones of the plurality of nodes, a
first blocking measure A to the anomalous traffic that stops the anomalous traffic (Page 9, lines 
15-19; Figure 4, block 405); and means for independently determining, at the respective ones of 
the plurality of nodes, a second blocking measure B such that application of a logical
combination of the first blocking measure A and the second blocking measure B to stop the 
anomalous traffic (Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 21-24; Figure 5, block 
505). 

In addition to the features of independent Claim 11, Claim 12 recites that the means for
independently determining of independent Claim 11 further includes: means for applying a 
logical combination of A and a second blocking measure B given by (A & !B) (Page 2, lines 21-26;
FIG. 5, block 510) to the anomalous traffic, wherein the logical combination (A & !B) is a
less restrictive blocking measure than a logical combination (A & B) (Page 2, lines 21-26; FIG.
5, block 505) (Page 10, lines 9-11; Page 10, lines 21-24; Figure 5, block 510); and means for
enforcing the logical combination (A & !B), if the logical combination (A & !B) stops the 
anomalous traffic (Page 10, lines 21-24; Figure 5, block 510). 

In addition to the features of Claims 11-12, Claim 13 recites means for independently 
determining a third blocking measure C (Page 2, lines 27-31; Page 11, lines 1-19), at the
respective ones of the plurality of nodes, such that application of a logical combination of (A &
!B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the
logical combination (A & !B) stops the anomalous traffic (Page 11, lines 8-12).

In addition to the features of Claims 11-12, Claim 14 recites that the means for
independently determining of independent Claim 11 further includes: applying a logical 
combination (A & B) to the anomalous traffic if the logical combination (A & !B) does not stop 
the anomalous traffic (Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 21-24; Figure 5, 
blocks 505, 520, and 535); and enforcing the logical combination (A & B), if the logical 
combination (A & B) stops the anomalous traffic (Page 9, lines 19-25; Figure 4, block 410, Page 
10, lines 21-24; Figure 5, blocks 505 and 535). 

In addition to the features of Claims 11-12 and 14, Claim 15 recites means for 
independently determining a third blocking measure C, at the respective ones of the plurality of 
nodes, such that application of a logical combination of (A & B) and the third blocking measure 
C to the anomalous traffic stops the anomalous traffic, if the logical combination (A & B) stops 
the anomalous traffic (Page 11, lines 8-19). 

In addition to the features of Claims 11-12 and 14, Claim 16 recites means for 
determining a third blocking measure C, at the respective ones of the plurality of nodes, such that
application of a logical combination of A and the third blocking measure C to the anomalous 
traffic stops the anomalous traffic, if the logical combination (A & B) does not stop the 
anomalous traffic (Page 11, lines 8-12). 

In addition to the features of independent Claim 11, Claim 17 recites that the means for 
detecting an anomaly of independent Claim 11 further includes means for comparing the 
communication traffic to at least one anomaly factor (Page 9, lines 1-14), and means for 
detecting the anomaly in the communication traffic at the plurality of nodes in the 
communication network if the at least one anomaly factor is present in the communication traffic
(Page 9 lines 15-25).

In addition to the features of independent Claim 11, Claim 18 recites means for assigning
a severity to the detected anomaly (Page 9, lines 26-29), and wherein the means for 
independently applying the first blocking measure A to the anomalous traffic further comprises 
means for independently applying the first blocking measure A to the anomalous traffic at each 
of the plurality of nodes in the communication network that stops or reduces the flow of the 
anomalous traffic based on the severity of the detected anomaly (Page 9, lines 30-34). 

In addition to the features of independent Claim 11, Claim 19 recites means for 
intentionally inserting the anomaly in the communication traffic (Page 12, lines 21-28), and 
means for associating the first blocking measure A and the second blocking measure B with the 
anomaly (Page 12, lines 28-321). 

Independent Claim 20 recites a system (page 4, lines 1-3 and lines 28-30) for operating a 
communication network (Page 5, lines 18-34; Page 6, lines 1-6; FIG. 1). The system further 
includes: means for detecting an anomaly in the communication traffic at a plurality of nodes in 
the communication network (Page 8, lines 25-33; Page 9, lines 1-14; Figure 4, block 400); 
means for synchronously applying a first blocking measure A at respective ones of the plurality 
of nodes that stops the anomalous traffic (Page 3, lines 16-30; Page 9, lines 15-19; Figure 4, 
block 405); and means for synchronously determining a second blocking measure B at the
respective ones of the plurality of nodes such that the application of a logical combination of the
first blocking measure A and the second blocking measure B stops the anomalous traffic (Page 3, 
lines 16-30; Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 21-24; Figure 5, block 505). 

Independent Claim 21 recites a computer program product (Page 4, lines 28-30) for 
operating a communication network (Page 5, lines 18-34; Page 6, lines 1-6; FIG. 1) including a
tangible computer storage medium (Page 4, lines 31-33; Page 5, lines 1-4; FIG. 2, storage system 
225) having computer readable program code (Page 4, lines 31-33; Page 5, lines 1-4; FIG. 3, 
blocking measure processing 320) embodied therein. The computer readable program code 
further includes: computer readable program code configured to autonomously monitor 
communication traffic at a communication port for an anomalous traffic (Page 7, ]f[ lines 9-15; 
Page 8, lines 25-30); computer readable program code configured to detect an anomaly in
communication traffic at a plurality of nodes in the communication network, wherein the
anomaly is an attack other than a worm or virus (Page 8, lines 25-33; Page 9, lines 1-14; Figure
4, block 400); computer readable program code configured to independently apply, at respective 
ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the 
anomalous traffic (Page 9, lines 15-19; Figure 4, block 405); and computer readable program 
code configured to independently determine, at the respective ones of the plurality of nodes, a
second blocking measure B such that application of a logical combination of the first blocking 
measure A and the second blocking measure B to stop the anomalous traffic (Page 9, lines 19-25; 
Figure 4, block 410, Page 10, lines 21-24; Figure 5, block 505). 

In addition to the features of independent Claim 21, Claim 22 recites that the computer 
readable program code of independent Claim 21 configured to independently determine further
includes: computer readable program code configured to apply a logical combination of A and a 
second blocking measure B given by (A & !B) (Page 2, lines 21-26; FIG. 5, block 510) to the 
anomalous traffic, wherein the logical combination (A & !B) is a less restrictive blocking 
measure than a logical combination (A & B) (Page 2, lines 21-26; FIG. 5, block 505) (Page 10, 
lines 9-11; Page 10, lines 21-24; Figure 5, block 510); and computer readable program code 
configured to enforce the logical combination (A & !B), if the logical combination (A & !B) 
stops the anomalous traffic (Page 10, lines 21-24; Figure 5, block 510). 

In addition to the features of Claims 21-22, Claim 23 recites computer readable program 
code configured to independently determine a third blocking measure C (Page 2, lines 27-31; 
Page 11, lines 1-19), at the respective ones of the plurality of nodes, such that application of a 
logical combination of (A & !B) and the third blocking measure C to the anomalous traffic stops 
the anomalous traffic, if the logical combination (A & !B) stops the anomalous traffic (Page 11, 
lines 8-12). 

In addition to the features of Claims 21-22, Claim 24 recites that the computer readable 
program code of independent Claim 21 that is configured to independently determine further
includes: computer readable program code configured to apply a logical combination (A & B) to 
the anomalous traffic if the logical combination (A & !B) does not stop the anomalous traffic
(Page 9, lines 19-25; Figure 4, block 410, Page 10, lines 21-24; Figure 5, blocks 505, 520, and
535); and computer readable program code configured to enforce the logical combination (A & 
B), if the logical combination (A & B) stops the anomalous traffic (Page 9, lines 19-25; Figure 4, 
block 410, Page 10, lines 21-24; Figure 5, blocks 505 and 535). 

In addition to the features of Claims 21-22 and 24, Claim 25 recites computer readable 
program code configured to independently determine a third blocking measure C, at the 
respective ones of the plurality of nodes, such that application of a logical combination of (A & 
B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the 
logical combination (A & B) stops the anomalous traffic (Page 11, lines 8-19). 

In addition to the features of Claims 21-22 and 24, Claim 26 recites computer readable 
program code configured to determine a third blocking measure C, at the respective ones of the 
plurality of nodes, such that application of a logical combination of A and the third blocking 
measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A & 
B) does not stop the anomalous traffic (Page 11, lines 8-12).

In addition to the features of independent Claim 21, Claim 27 recites that the computer 
readable program code of independent Claim 11 that is configured to detect an anomaly further
includes computer readable program code configured to compare the communication traffic to at
least one anomaly factor (Page 9, lines 1-14), and computer readable program code configured to
detect the anomaly in the communication traffic at the plurality of nodes in the communication
network if the at least one anomaly factor is present in the communication traffic (Page 9 lines 
15-25). 

In addition to the features of independent Claim 21, Claim 28 recites computer readable 
program code configured to assign a severity to the detected anomaly (Page 9, lines 26-29), and 
wherein the computer readable program code is further configured to independently apply the
first blocking measure A to the anomalous traffic further comprises means for independently 
applying the first blocking measure A to the anomalous traffic at each of the plurality of nodes in
the communication network that stops or reduces the flow of the anomalous traffic based on the
severity of the detected anomaly (Page 9, lines 30-34). 

In addition to the features of independent Claim 21, Claim 29 recites computer readable
program code configured to intentionally insert the anomaly in the communication traffic (Page 
12, lines 21-28), and computer readable program code configured to associate the first blocking 
measure A and the second blocking measure B with the anomaly (Page 12, lines 28-321). 

Independent Claim 30 recites a computer program product (Page 4, lines 28-30) for 
operating a communication network (Page 5, lines 18-34; Page 6, lines 1-6; FIG. 1) including a 
tangible computer storage medium (Page 4, lines 31-33; Page 5, lines 1-4; FIG. 2, storage system 
225) having computer readable program code (Page 4, lines 31-33; Page 5, lines 1-4; FIG. 3, 
blocking measure processing 320) embodied therein. The computer readable program code 
further includes: computer readable program code configured to detect an anomaly in 
communication traffic at a plurality of nodes in the communication network (Page 8, lines 25-33;
Page 9, lines 1-14; Figure 4, block 400); computer readable program code configured to 
synchronously apply, at respective ones of the plurality of nodes, a first blocking measure A to 
the anomalous traffic that stops the anomalous traffic (Page 3, lines 16-30; Page 9, lines 15-19; 
Figure 4, block 405); and computer readable program code configured to synchronously 
determine, at the respective ones of the plurality of nodes, a second blocking measure B such that
application of a logical combination of the first blocking measure A and the second blocking 
measure B to stop the anomalous traffic (Page 3, lines 16-30; Page 9, lines 19-25; Figure 4, block 
410, Page 10, lines 21-24; Figure 5, block 505). 



GROUNDS OF REJECTION

The grounds of rejection to be reviewed on appeal are: 

(a) the final rejection of Claims 20, 21-30 under 35 U.S.C. § 101 as being directed to 
non-statutory subject matter; and 

(b) the final rejection of Claims 1-30 under 35 U.S.C. § 102 (b) as being anticipated by 
U.S. Patent No. 6,738,814 to Cox et al. (hereafter Cox).

ARGUMENT



I. Rejections of Claims 20-30 under 35 U.S.C. § 101

On page 3 of the Final Office Action, Claims 20 and 21-30 are rejected under 35 U.S.C. § 
101 as being directed to non-statutory subject matter. The § 101 rejection is not well founded 
and should be reversed. 

A. The Rejection of Claims 21-30 under 35 U.S.C. § 101 should be reversed

The final rejection of Claims 21-30 under 35 U.S.C. § 101 should be reversed because 
Claims 21-30 are clearly directed to statutory subject matter. 

With respect to Claims 21-30, Appellants' example Claim 21 recites a "tangible
computer storage medium having computer readable program code embodied therein". At page 
6, lines 11-15 of the specification, there is defined a physical storage structure (storage system 
225) of a data processing system. Therefore, the recitation within the claims clearly defines a 
physical structure (i.e. the storage medium) which complies with a first portion of 35 U.S.C. § 
101. Furthermore, Appellants' Claim 21 recites a tangible computer storage medium having 
computer readable program code which executes on a processor to perform the tangible result of 
applying a first blocking measure and determining a second blocking measure. The tangible 
result provided within the claim is the product of the functional steps of: (1) "autonomously 
monitor", (2) "detect an anomaly", (3) "independently apply", and (4) "independently 
determine" as recited in Appellants' Claim 21. The tangible result portion of 35 U.S.C. § 101 is 
also complied with. The rejection of Claims 21-30 under 35 U.S.C. § 101 as directed to
non-statutory subject matter should therefore be reversed.

B. The Rejection of Claim 20 under 35 U.S.C. § 101 should be reversed

The final rejection of exemplary Claim 20 under 35 U.S.C. § 101 should be reversed. 

With respect to Appellants' Claim 20, lines 20-24 of the specification recite a data 
processing system that provides a processor and memory that may be used for determining 
blocking measures for responding to communication traffic anomalies. The "means" as recited
in Applicants' Claim 20 refer to the processor of the data processing system executing specific
program instructions to generate the specific functions indicated by the claim elements. The
rejection of Claim 20 under 35 U.S.C. § 101 as directed to non-statutory subject matter should 
therefore be reversed. 

II. Rejections of Claims 1-30 under 35 U.S.C. § 102

On page 4 of the Final Office Action, Claims 1-30 are rejected under 35 U.S.C. § 102(b)
as anticipated by U.S. Patent No. 6,738,814 to Cox et al. The rejection is not well founded and 
should be reversed. 

A. The Rejection of Claim 1 under 35 U.S.C. § 102(b) based on Cox should be
reversed 

The rejection of Claim 1 as anticipated by Cox should be reversed because Cox does not 
disclose the following features of exemplary Claim 1:

independently applying, at respective ones of the plurality of nodes, a first 
blocking measure A to the anomalous traffic that stops the anomalous traffic; and 

independently determining, at the respective ones of the plurality of nodes, 
a second blocking measure B such that application of a logical combination of the
first blocking measure A and the second blocking measure B to stop the 
anomalous traffic. 

With respect to the above features of Claim 1, page 4 of the Final Office Action relies 
upon col. 3, lines 30-54 and col. 4, lines 54-61 of Cox. The cited sections of Cox, however, do 
not disclose applying a first blocking measure or determining a combination of a first blocking
measure and a second measure that would stop anomalous traffic.

Appellants respectfully traverse the Examiner's position because the sections of Cox
cited by the Examiner do not disclose two (i.e. first and second) blocking measures or
determining a combination of the first and second blocking measures that stops anomalous 
traffic, as set forth in Appellants' Claim 1. Cox discloses a single process that analyzes an 
incoming packet against known malicious patterns, and in response to detecting a malicious
packet, drops the malicious packet or denies a connection request of the sender of the malicious 
packet. Appellants' claimed invention, in contrast, recites determining and applying a 
combination of the first blocking measure and a second blocking measure to stop anomalous 
traffic. In this manner, the invention recited in Claim 1 uses a combination of the two blocking 
measures to only block anomalous traffic at specific nodes, while allowing valid traffic to pass 
through. Without the Appellants' claimed technique of applying two blocking measures, the 
valid traffic may be otherwise blocked utilizing conventional techniques such as those taught by 
Cox (see, for example, page 9, lines 15-30 of the specification). 

Because Cox does not disclose the claimed "applying" and "determining" steps related to 
two blocking measures as is recited in Appellants' Claim 1, the rejection of Claim 1 and its 
dependent claims under 35 U.S.C. § 102 as anticipated by Cox is not well founded and should be 
reversed. Additionally the claimed "applying" and "determining" steps recited in Appellants' 
Claim 1 are also not suggested by Cox. 

B. The Rejection of Claim 10 under 35 U.S.C. § 102(b) based on Cox should be
reversed 

The rejection of Claim 10 as anticipated by Cox should be reversed because Cox does not 
disclose the following features of exemplary Claim 10: 

synchronously applying, at respective ones of the plurality of nodes, a first 
blocking measure A to the anomalous traffic that stops the anomalous traffic; and 

synchronously determining, at the respective ones of the plurality of 
nodes, a second blocking measure B such that application of a logical 
combination of the first blocking measure A and the second blocking measure B 
to stop the anomalous traffic.

With respect to the above features of Claim 10, page 4 of the Final Office Action relies
upon col. 3, lines 30-54 and col. 4, lines 54-61 of Cox. The cited sections of Cox, however, do
not disclose synchronously applying a first blocking measure or synchronously determining a 
combination of a first blocking measure and a second measure that would stop anomalous traffic. 

Appellants respectfully traverse the Examiner's position because the sections of Cox 
cited by the Examiner do not disclose two (i.e. first and second) blocking measures or 
determining a combination of the first and second blocking measures that stops anomalous 
traffic, as set forth in Appellants' Claim 10. Cox discloses a single process that analyzes an 
incoming packet against known malicious patterns, and in response to detecting a malicious 
packet, drops the malicious packet or denies a connection request of the sender of the malicious 
packet. Appellants' claimed invention in contrast recites synchronously determining and 
synchronously applying a combination of the first blocking measure and a second blocking
measure across a plurality of nodes in a communication network to stop anomalous traffic. In 
this manner, the invention recited in Claim 10 uses a combination of the two blocking measures 
to only block anomalous traffic synchronously across a plurality of nodes, while allowing valid 
traffic to pass through. Without the Appellants' claimed technique of applying two blocking
measures, the valid traffic may be otherwise blocked utilizing conventional techniques such as
those taught by Cox (see, for example, page 9, lines 15-30 of the specification). 

Because Cox does not disclose the claimed "synchronously applying" and 
"synchronously determining" steps related to two blocking measures as is recited in Appellants' 
Claim 10, the rejection of Claim 10 under 35 U.S.C. § 102 as anticipated by Cox is not well 
founded and should be reversed. Additionally the claimed "synchronously applying" and 
"synchronously determining" steps recited in Appellants' Claim 10 are also not suggested by 
Cox.

C. The Rejection of Claim 11 under 35 U.S.C. § 102(b) based on Cox should be
reversed 

The rejection of Claim 11 as anticipated by Cox should be reversed because Cox does not
disclose the following features of exemplary Claim 11:

means for independently applying, at respective ones of the plurality of 
nodes, a first blocking measure A to the anomalous traffic that stops the 
anomalous traffic; and 

means for independently determining, at the respective ones of the
plurality of nodes a, second blocking measure B such that application of a logical 
combination of the first blocking measure A and the second blocking measure B 
to stop the anomalous traffic. 

With respect to the above features of Claim 11, page 4 of the Final Office Action relies 
upon col. 3, lines 30-54 and col. 4, lines 54-61 of Cox. The cited sections of Cox, however, do
not disclose applying a first blocking measure or determining a combination of a first blocking
measure and a second measure that would stop anomalous traffic. 

Appellants respectfully traverse the Examiner's position because the sections of Cox
cited by the Examiner do not disclose two (i.e. first and second) blocking measures or
determining a combination of the first and second blocking measures that stops anomalous
traffic, as set forth in Appellants' Claim 11. Cox discloses a single process that analyzes an 
incoming packet against known malicious patterns, and in response to detecting a malicious 
packet, drops the malicious packet or denies a connection request of the sender of the malicious 
packet. Appellants' claimed invention in contrast recites determining and applying a 
combination of the first blocking measure and a second blocking measure to stop anomalous 
traffic. In this manner, the invention recited in Claim 11 uses a combination of the two blocking
measures to only block anomalous traffic at specific nodes, while allowing valid traffic to pass 
through. Without the Appellants' claimed technique of applying two blocking measures, the
valid traffic may be otherwise blocked utilizing conventional techniques such as those taught by 
Cox (see, for example, page 9, lines 15-30 of the specification).

Because Cox does not disclose the claimed "applying" and "determining" steps related to
two blocking measures as is recited in Appellants' Claim 11, the rejection of Claim 11 and its 
dependent claims under 35 U.S.C. § 102 as anticipated by Cox is not well founded and should be 
reversed. Additionally the claimed "applying" and "determining" steps recited in Appellants' 
Claim 1 1 are also not suggested by Cox. 

D. The Rejection of Claim 20 under 35 U.S.C. § 102(b) based on Cox should be 
reversed 

The rejection of Claim 20 as anticipated by Cox should be reversed because Cox does not 
disclose the following features of exemplary Claim 20: 

means for synchronously applying, at respective ones of the plurality of 
nodes, a first blocking measure A to the anomalous traffic that stops the 
anomalous traffic; and 

means for synchronously determining a second blocking measure B at the 
respective ones of the plurality of nodes such that application of a logical 
combination of the first blocking measure A and the second blocking measure B 
to stop the anomalous traffic. 

With respect to the above features of Claim 20, page 4 of the Final Office Action relies 
upon col. 3, lines 30-54 and col. 4, lines 54-61 of Cox. The cited sections of Cox, however, do 
not disclose synchronously applying a first blocking measure or synchronously determining a 
combination of a first blocking measure and a second measure that would stop anomalous traffic. 

Appellants respectfully traverse the Examiner's position because the sections of Cox 
cited by the Examiner do not disclose two (i.e. first and second) blocking measures or 
determining a combination of the first and second blocking measures that stops anomalous 
traffic, as set forth in Appellants' Claim 20. Cox discloses a single process that analyzes an 
incoming packet against known malicious patterns, and in response to detecting a malicious 
packet, drops the malicious packet or denies a connection request of the sender of the malicious 
packet. Appellants' claimed invention in contrast recites synchronously determining and 
synchronously applying a combination of the first blocking measure and a second blocking 
measure across a plurality of nodes in a communication network to stop anomalous traffic. In 
this manner, the invention recited in Claim 20 uses a combination of the two blocking measures 
to only block anomalous traffic synchronously across a plurality of nodes, while allowing valid 
traffic to pass through. Without the Appellants' claimed technique of applying two blocking 
measures, the valid traffic may be otherwise blocked utilizing conventional techniques such as 
those taught by Cox (see, for example, page 9, lines 15-30 of the specification). 

Because Cox does not disclose the claimed "synchronously applying" and 
"synchronously determining" steps related to two blocking measures as is recited in Appellants' 
Claim 20, the rejection of Claim 20 under 35 U.S.C. § 102 as anticipated by Cox is not well 
founded and should be reversed. Additionally the claimed "synchronously applying" and 
"synchronously determining" steps recited in Appellants' Claim 20 are also not suggested by 
Cox. 

E. The Rejection of Claim 21 under 35 U.S.C. § 102(b) based on Cox should be 
reversed 

The rejection of Claim 21 as anticipated by Cox should be reversed because Cox does not 
disclose the following features of exemplary Claim 21: 

computer readable program code configured to independently apply, at 
respective ones of the plurality of nodes, a first blocking measure A to the 
anomalous traffic that stops the anomalous traffic; and 

computer readable program code configured to independently determine at 
the respective ones of the plurality of nodes a second blocking measure B such 
that application of a logical combination of the first blocking measure A and the 
second blocking measure B to stop the anomalous traffic. 

With respect to the above features of Claim 21, page 4 of the Final Office Action relies 
upon col. 3, lines 30-54 and col. 4, lines 54-61 of Cox. The cited sections of Cox, however, do 
not disclose applying a first blocking measure or determining a combination of a first blocking 
measure and a second measure that would stop anomalous traffic. 

Appellants respectfully traverse the Examiner's position because the sections of Cox 
cited by the Examiner do not disclose two (i.e. first and second) blocking measures or 
determining a combination of the first and second blocking measures that stops anomalous 
traffic, as set forth in Appellants' Claim 21. Cox discloses a single process that analyzes an 
incoming packet against known malicious patterns, and in response to detecting a malicious 
packet, drops the malicious packet or denies a connection request of the sender of the malicious 
packet. Appellants' claimed invention in contrast recites determining and applying a 
combination of the first blocking measure and a second blocking measure to stop anomalous 
traffic. In this manner, the invention recited in Claim 21 uses a combination of the two blocking 
measures to only block anomalous traffic at specific nodes, while allowing valid traffic to pass 
through. Without the Appellants' claimed technique of applying two blocking measures, the 
valid traffic may be otherwise blocked utilizing conventional techniques such as those taught by 
Cox (see, for example, page 9, lines 15-30 of the specification). 

Because Cox does not disclose the claimed "applying" and "determining" steps related to 
two blocking measures as is recited in Appellants' Claim 21, the rejection of Claim 21 and its 
dependent claims under 35 U.S.C. § 102 as anticipated by Cox is not well founded and should be 
reversed. Additionally the claimed "applying" and "determining" steps recited in Appellants' 
Claim 21 are also not suggested by Cox. 

F. The Rejection of Claim 30 under 35 U.S.C. § 102(b) based on Cox should be 
reversed 

The rejection of Claim 30 as anticipated by Cox should be reversed because Cox does not 
disclose the following features of exemplary Claim 30: 

computer readable program code configured to synchronously apply, at 
respective ones of the plurality of nodes, a first blocking measure A to the 
anomalous traffic that stops the anomalous traffic; and 

computer readable program code configured to synchronously determine 
at the respective ones of the plurality of nodes a second blocking measure B such 
that application of a logical combination of the first blocking measure A and the 
second blocking measure B to stop the anomalous traffic. 

With respect to the above features of Claim 30, page 4 of the Final Office Action relies 
upon col. 3, lines 30-54 and col. 4, lines 54-61 of Cox. The cited sections of Cox, however, do 
not disclose synchronously applying a first blocking measure or synchronously determining a 
combination of a first blocking measure and a second measure that would stop anomalous traffic. 

Appellants respectfully traverse the Examiner's position because the sections of Cox 
cited by the Examiner do not disclose two (i.e. first and second) blocking measures or 
determining a combination of the first and second blocking measures that stops anomalous 
traffic, as set forth in Appellants' Claim 30. Cox discloses a single process that analyzes an 
incoming packet against known malicious patterns, and in response to detecting a malicious 
packet, drops the malicious packet or denies a connection request of the sender of the malicious 
packet. Appellants' claimed invention in contrast recites synchronously determining and 
synchronously applying a combination of the first blocking measure and a second blocking 
measure across a plurality of nodes in a communication network to stop anomalous traffic. In 
this manner, the invention recited in Claim 30 uses a combination of the two blocking measures 
to only block anomalous traffic synchronously across a plurality of nodes, while allowing valid 
traffic to pass through. Without the Appellants' claimed technique of applying two blocking 
measures, the valid traffic may be otherwise blocked utilizing conventional techniques such as 
those taught by Cox (see, for example, page 9, lines 15-30 of the specification). 

Because Cox does not disclose the claimed "synchronously applying" and 
"synchronously determining" steps related to two blocking measures as is recited in Appellants' 
Claim 30, the rejection of Claim 30 under 35 U.S.C. § 102 as anticipated by Cox is not well 
founded and should be reversed. Additionally the claimed "synchronously applying" and 
"synchronously determining" steps recited in Appellants' Claim 30 are also not suggested by 
Cox. 

G. The Rejection of Claim 2, 12, and 22 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

In addition to the reasons set forth with reference to Claim 1 (and similar Claims 11 and 
21) above, the final rejection of Claims 2, 12, and 22 should also be reversed because Cox does 
not disclose "applying a logical combination of A and a second blocking measure B given by (A 
& !B) to the anomalous traffic, wherein the logical combination (A & !B) is a less restrictive 
blocking measure than a logical combination (A & B)," as recited in Appellants' Claims 2, 12, 
and 22. 

With reference to Claim 2, at page 3 of the Final Office Action the Examiner cites 
column 4 lines 28-61 of Cox. The cited passage of Cox teaches a method for blocking spoofing 
or denial of service attacks (DoS) by comparing a requested connection to existing connections 
and in response to determining the requested connection matches an existing connection, 
denying the requested connection. Thus, this section of Cox and Cox as a whole does not 
disclose applying a logical combination (A & !B) of a first blocking measure (A) and a second 
blocking measure (B) that is less restrictive than a complete logical combination of the two 
blocking measures (A & B). Cox only discloses denying a connection request in response to 
determining that a computer having the same address is already connected to a network. 
Appellants' Claim 2 in contrast recites appl^^ 

that may be applied to a traffic stream to block or reduce a flow of traffic anomalies, while still 
allowing valid traffic to pass through (see, for example, page 12, lines 21-32; and page 13, lines 
1-4 of the specification). Because Cox does not disclose applying a logical combination of 
blocking measures as recited in Claim 2, the rejection of Claims 2, 12, and 22 under 35 U.S.C. § 
102 should be reversed. Additionally the claimed applying a logical combination of blocking 
measures as recited in Appellants' Claim 2 are also not suggested by Cox. 
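
The selection order recited in Claims 2 and 4 (try A & !B first, then A & B) with A alone as the fallback state from which Claim 6 turns to a third measure C, run independently per node, as an added Python illustration that is not part of the brief or the application. The packet fields, the port-80 rule used for A, the internal-source rule used for B, the `anomalous` labels and the sample traffic are all constructed assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
Measure = Callable[[Packet], bool]            # True means "block this packet"

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def measure_a(p: Packet) -> bool:
    """Hypothetical first measure A: block everything sent to port 80."""
    return p["dst_port"] == 80


def measure_b(p: Packet) -> bool:
    """Hypothetical second measure B: the source address is internal."""
    return ipaddress.ip_address(p["src"]) in INTERNAL


def both(x: Measure, y: Measure) -> Measure:
    return lambda p: x(p) and y(p)


def negate(x: Measure) -> Measure:
    return lambda p: not x(p)


def stops(m: Measure, traffic: List[Packet]) -> bool:
    """True only if anomalous packets were observed and m blocks all of them.
    An empty anomalous sample proves nothing, so it never justifies
    relaxing A (a conservative assumption of this sketch)."""
    bad = [p for p in traffic if p["anomalous"]]
    return bool(bad) and all(m(p) for p in bad)


def collateral(m: Measure, traffic: List[Packet]) -> int:
    """Number of valid packets that measure m would block."""
    return sum(1 for p in traffic if not p["anomalous"] and m(p))


def refine(a: Measure, b: Measure, traffic: List[Packet]) -> Tuple[str, Measure]:
    """Order from Claims 2 and 4: enforce (A & !B) if it stops the anomaly,
    otherwise (A & B) if that does, otherwise stay with A alone."""
    a_not_b = both(a, negate(b))
    if stops(a_not_b, traffic):
        return "A & !B", a_not_b
    a_and_b = both(a, b)
    if stops(a_and_b, traffic):
        return "A & B", a_and_b
    return "A", a


def pkt(src: str, dst_port: int, anomalous: bool) -> Packet:
    return {"src": src, "dst_port": dst_port, "anomalous": anomalous}


# Constructed sample traffic; each node sees a different mix.
NODES: Dict[str, List[Packet]] = {
    "node1": [pkt("203.0.113.5", 80, True), pkt("203.0.113.9", 80, True),
              pkt("10.0.0.7", 80, False), pkt("10.0.0.8", 443, False)],
    "node2": [pkt("10.0.0.66", 80, True), pkt("198.51.100.4", 80, False),
              pkt("10.0.0.7", 80, False)],
    "node3": [pkt("10.0.0.66", 80, True), pkt("203.0.113.5", 80, True),
              pkt("198.51.100.4", 80, False)],
}


def decide_per_node(nodes: Dict[str, List[Packet]]) -> Dict[str, Tuple[str, int, int]]:
    """Each node refines A on its own traffic. Returns, per node, the chosen
    combination and the valid packets blocked under A versus under it."""
    out = {}
    for name, traffic in nodes.items():
        label, chosen = refine(measure_a, measure_b, traffic)
        out[name] = (label, collateral(measure_a, traffic),
                     collateral(chosen, traffic))
    return out


if __name__ == "__main__":
    for node, (label, before, after) in decide_per_node(NODES).items():
        print(f"{node}: enforce {label}; valid packets blocked {before} -> {after}")
```

Both refinements block a subset of what A blocks, so each node either reduces the valid traffic it drops or keeps A unchanged when neither refinement still stops the anomaly.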

H. Rejection of Claim 3, 13, and 23 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 3, 13, and 23 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1-2, 11- 
12, and 21-22, respectively. 

I. Rejection of Claim 4, 14, and 24 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 4, 14, and 24 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1-2, 11- 
12, and 21-22, respectively. 

J. Rejection of Claim 5, 15, and 25 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 5, 14, and 25 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1-2 and 4, 
11-12 and 14, and 21-22 and 24, respectively. 

K. Rejection of Claim 6, 16, and 26 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 6, 16, and 26 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1-2 and 4, 
11-12 and 14, and 21-22 and 24, respectively. 

L. Rejection of Claim 7, 17, and 27 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 7, 17, and 27 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1, 11, and 
21, respectively. 

M. Rejection of Claim 8, 18, and 28 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 8, 18, and 28 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1, 11, and 
21, respectively. 

N. Rejection of Claim 9, 19, and 29 under 35 U.S.C. § 102(b) based on Cox 
should be reversed 

The final rejection of Claims 9, 19, and 29 under 35 U.S.C. § 102 as anticipated by Cox 
should be reversed for the reasons set forth above with reference to underlying Claims 1, 11, and 
21, respectively. 



Docket No. RSV^920030105US1 



CONCLUSION 

The foregoing remarks demonstrate that Cox does not disclose each and every feature of 
Appellants' Claims 1-30 as required to support a rejection under 35 U.S.C. § 102(b). Appellants 
have also shown that the Claims recite statutory subject matter under 35 U.S.C. § 101. 
Appellants therefore respectfully request the Board reverse the rejection of each of Claims 1-30. 

Applicants further respectfully request the Examiner contact the undersigned attorney of 
record at 512.343.6116 if such would further or expedite the prosecution of the present 
Application. 




Eustace P. Isidore 
Reg. No. 56,104 
Dillon & Yudell LLP 
8911 N. Capital of Texas Highway 
Suite 2110 
Austin, Texas 78759 
(512) 343-6116 

ATTORNEY FOR APPELLANTS 

CLAIMS APPENDIX 

1. A method of operating a communication network, comprising: 

autonomously monitoring communication traffic at a communication port for an 
anomalous traffic; 

detecting an anomaly in communication traffic at a plurality of nodes in the 
communication network, wherein the anomaly is an attack other than a worm or virus; 

independently applying, at respective ones of the plurality of nodes, a first blocking 
measure A to the anomalous traffic that stops the anomalous traffic; and 

independently determining, at the respective ones of the plurality of nodes, a second 
blocking measure B such that application of a logical combination of the first blocking measure 
A and the second blocking measure B to stop the anomalous traffic. 

2. The method of claim 1, wherein independently determining the second blocking measure B 
comprises: 

applying a logical combination of A and a second blocking measure B given by (A & 
!B) to the anomalous traffic, wherein the logical combination (A & !B) is a less restrictive 
blocking measure than a logical combination (A & B); and 

enforcing the logical combination (A & !B), if the logical combination (A & !B) stops the 
anomalous traffic. 

3. The method of claim 2, further comprising: 

independently determining a third blocking measure C, at the respective ones of the 
plurality of nodes, such that application of a logical combination of (A & !B) and the third 
blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical 
combination (A & !B) stops the anomalous traffic. 

4. The method of claim 2, wherein independently determining the second blocking measure B 
further comprises: 

applying a logical combination (A & B) to the anomalous traffic if the logical 
combination (A & !B) does not stop the anomalous traffic; and 

enforcing the logical combination (A & B), if the logical combination (A & B) stops the 
anomalous traffic. 

5. The method of claim 4, further comprising: 

independently determining a third blocking measure C, at the respective ones of the 
plurality of nodes, such that application of a logical combination of (A & B) and the third 
blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical 
combination (A & B) stops the anomalous traffic. 

6. The method of claim 4, further comprising: 

determining a third blocking measure C, at the respective ones of the plurality of nodes, 
such that application of a logical combination of A and the third blocking measure C to the 
anomalous traffic stops the anomalous traffic, if the logical combination (A & B) does not stop 
the anomalous traffic. 

7. The method of claim 1, wherein detecting an anomaly in the communication traffic comprises: 

comparing the communication traffic to at least one anomaly factor; and 
detecting the anomaly in the communication traffic at the plurality of nodes in the 
communication network if the at least one anomaly factor is present in the communication 
traffic. 

8. The method of claim 1, further comprising: 

assigning a severity to the detected anomaly; and 

wherein independently applying the first blocking measure A to the anomalous traffic 
comprises independently applying the first blocking measure A to the anomalous traffic at each 
of the plurality of nodes in the communication network that stops or reduces the flow of the 
anomalous traffic based on the severity of the detected anomaly. 

9. The method of claim 1, further comprising: 

intentionally inserting the anomaly in the communication traffic; and 

associating the first blocking measure A and the second blocking measure B with the 
anomaly. 

10. A method of operating a communication network, comprising: 

detecting an anomaly in communication traffic at a plurality of nodes in the 
communication network; 

synchronously applying, at respective ones of the plurality of nodes, a first blocking 
measure A to the anomalous traffic that stops the anomalous traffic; and 

synchronously determining, at the respective ones of the plurality of nodes, a second 
blocking measure B such that application of a logical combination of the first blocking measure 
A and the second blocking measure B to stop the anomalous traffic. 

11. A system for operating a communication network, comprising: 

a processor; 

program means executing on the processor including: 

means for autonomously monitoring communication traffic at a communication port for 
an anomalous traffic; 

means for detecting an anomaly in communication traffic at a plurality of nodes in the 
communication network, wherein the anomaly is an attack other than a worm or virus; 

means for independently applying, at respective ones of the plurality of nodes, a first 
blocking measure A to the anomalous traffic that stops the anomalous traffic; and 

means for independently determining, at the respective ones of the plurality of nodes a, 
second blocking measure B such that application of a logical combination of the first blocking 
measure A and the second blocking measure B to stop the anomalous traffic. 

12. The system of claim 11, wherein the means for independently determining the second 
blocking measure B comprises: 

means for applying a logical combination of A and a second blocking measure B given 
by (A & !B) to the anomalous traffic, wherein the logical combination (A & !B) is a less 
restrictive blocking measure than a logical combination (A & B); and 

means for enforcing the logical combination (A & !B), if the logical combination (A & 
!B) stops the anomalous traffic. 

13. The system of claim 12, further comprising: 

means for independently determining, at the respective ones of the plurality of nodes, a 
third blocking measure C such that application of a logical combination of (A & !B) and the third 
blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical 
combination (A & !B) stops the anomalous traffic. 

14. The system of claim 12, wherein the means for independently determining the second 
blocking measure B further comprises: 

means for applying a logical combination (A & B) to the anomalous traffic if the logical 
combination (A & !B) does not stop the anomalous traffic; and 

means for enforcing the logical combination (A & B), if the logical combination (A & B) 
stops the anomalous traffic. 

15. The system of claim 14, further comprising: 

means for independently determining, at the respective ones of the plurality of nodes, a 
third blocking measure C such that application of a logical combination of (A & B) and the third 
blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical 
combination (A & B) stops the anomalous traffic. 

16. The system of claim 14, further comprising: 

means for determining, at the respective ones of the plurality of nodes, a third blocking 
measure C such that application of a logical combination of A and the third blocking measure C 
to the anomalous traffic stops the anomalous traffic, if the logical combination (A & B) does not 
stop the anomalous traffic. 

17. The system of claim 11, wherein the means for detecting an anomaly in the communication 
traffic comprises: 

means for comparing the communication traffic to at least one anomaly factor; and 

means for detecting the anomaly in the communication traffic at the plurality of nodes in 
the communication network, if the at least one anomaly factor is present in the communication 
traffic. 

18. The system of claim 11, further comprising: 

means for assigning a severity to the detected anomaly; and 
wherein the means for independently applying the first blocking measure A to the 
anomalous traffic comprises means for independently applying the first blocking measure A to 
the anomalous traffic at each of the plurality of nodes in the communication network that stops 
or reduces the flow of the anomalous traffic based on the severity of the detected anomaly. 

19. The system of claim 11, further comprising: 

means for intentionally inserting the anomaly in the communication traffic; and 
means for associating the first blocking measure A and the second blocking measure B 
with the anomaly. 

20. A system for operating a communication network, comprising: 

means for detecting an anomaly in communication traffic at a plurality of nodes in the 
communication network; 

means for synchronously applying, at respective ones of the plurality of nodes, a first 
blocking measure A to the anomalous traffic that stops the anomalous traffic; and 

means for synchronously determining a second blocking measure B at the respective ones 
of the plurality of nodes such that application of a logical combination of the first blocking 
measure A and the second blocking measure B to stop the anomalous traffic. 

21. A computer program product for operating a communication network, comprising: 

a tangible computer storage medium having computer readable program code embodied 
therein, the computer readable program code comprising: 

computer readable program code configured to autonomously monitor 
communication traffic at a communication port for an anomalous traffic; 

computer readable program code configured to detect an anomaly in 
communication traffic at a plurality of nodes in the communication network, wherein the 
anomaly is an attack other than a worm or virus; 

computer readable program code configured to independently apply, at respective 
ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that 
stops the anomalous traffic; and 

computer readable program code configured to independently determine at the 
respective ones of the plurality of nodes a second blocking measure B such that 
application of a logical combination of the first blocking measure A and the second 
blocking measure B to stop the anomalous traffic. 

22. The computer program product of claim 21, wherein the computer readable program code 
configured to independently determine the second blocking measure B comprises: 

computer readable program code configured to apply a logical combination of A and a 
second blocking measure B given by (A & !B) to the anomalous traffic, wherein the logical 
combination (A & !B) is a less restrictive blocking measure than a logical combination (A & B); 
and 

computer readable program code configured to enforce the logical combination (A & !B) 
if the logical combination (A & !B) stops the anomalous traffic. 

23. The computer program product of claim 22, further comprising: 

computer readable program code configured to independently determine, at the 
respective ones of the plurality of nodes, a third blocking measure C such that application of a 
logical combination of (A & !B) and the third blocking measure C to the anomalous traffic stops 
the anomalous traffic if the logical combination (A & !B) stops the anomalous traffic. 

24. The computer program product of claim 22, wherein the computer readable program code 
configured to independently determine the second blocking measure B further comprises: 

computer readable program code configured to apply a logical combination (A & B) to 
the anomalous traffic if the logical combination (A & !B) does not stop the anomalous traffic; 
and 

computer readable program code configured to enforce the logical combination (A & B), 
if the logical combination (A & B) stops the anomalous traffic. 

25. The computer program product of claim 24, further comprising: 

computer readable program code configured to independently determine, at the respective 
ones of the plurality of nodes, a third blocking measure C such that application of a logical 
combination of (A & B) and the third blocking measure C to the anomalous traffic stops the 
anomalous traffic, if the logical combination (A & B) stops the anomalous traffic. 

26. The computer program product of claim 24, further comprising: 

computer readable program code configured to determine, at the respective ones of the 
plurality of nodes, a third blocking measure C such that application of a logical combination of A 
and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the 
logical combination (A & B) does not stop the anomalous traffic. 

27. The computer program product of claim 21, wherein the computer readable program code 
configured to detect an anomaly in the communication traffic comprises: 

computer readable program code configured to compare the communication traffic to at 
least one anomaly factor; and 

computer readable program code configured to detect the anomaly in the communication 
traffic at the plurality of nodes in the communication network, if the at least one anomaly factor 
is present in the communication traffic. 

28. The computer program product of claim 21, further comprising: 

computer readable program code configured to assign a severity to the detected anomaly; 
and 

wherein the computer readable program code configured to independently apply the first 
blocking measure A to the anomalous traffic comprises computer readable program code 
configured to independently apply the first blocking measure A to the anomalous traffic at each 
of the plurality of nodes in the communication network that stops or reduces the flow of the 
anomalous traffic based on the severity of the detected anomaly. 

29. The computer program product of claim 21, further comprising: 

computer readable program code configured to intentionally insert the anomaly in the 
communication traffic; and 

computer readable program code configured to associate the first blocking measure A and 
the second blocking measure B with the anomaly. 

30. A computer program product for operating a communication network, comprising: 

a tangible computer storage medium having computer readable program code embodied 
therein, the computer readable program code comprising: 

computer readable program code configured to detect an anomaly in 
communication traffic at a plurality of nodes in the communication network; 

computer readable program code configured to synchronously apply, at respective 
ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that 
stops the anomalous traffic; and 

computer readable program code configured to synchronously determine at the 
respective ones of the plurality of nodes a second blocking measure B such that 
application of a logical combination of the first blocking measure A and the second 
blocking me^ 

EVIDENCE APPENDIX 

(NONE) 

APPENDIX C 
RELATED PROCEEDINGS AND INTERFERENCES 

(NONE) 